MITRE ATT&CK® Analytic

AN1974: Analytic 1974

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of generative artificial intelligence (i.e. Phishing, Phishing for Information).

Domain: Enterprise | ID: AN1974 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1974 is a detection analytic for pre-compromise activity, where much of the relevant behavior occurs outside the target organization's direct visibility. Its practical value is in setting expectations: executives and security leaders should not assume that internal logs alone can prove or disprove this activity. Defensive attention should shift toward the observable follow-on behaviors, especially phishing and phishing-for-information patterns, which may involve generative artificial intelligence.

Executive priority

Treat this as a visibility and readiness issue rather than a simple alerting problem. Because the activity is described as largely outside organizational visibility and applies to the PRE platform, leaders should ask whether security programs have enough external-facing threat intelligence, phishing reporting, email security evidence, and incident response playbooks to make decisions when direct telemetry is limited. This matters for business continuity, identity protection, audit evidence, and incident triage because early signs may appear as suspicious outreach rather than malware or endpoint activity.

Technical view

SOC, detection engineering, and IR teams should validate coverage around behaviors related to Phishing and Phishing for Information, since the official description points detection efforts toward those areas. Priority should be placed on confirming what evidence is available for suspicious messages, credential-seeking outreach, user reports, and externally sourced intelligence. Because no official detection logic, tactics, or relationships are supplied for this object, teams should avoid treating the analytic as a complete rule and instead use it as a prompt to assess pre-compromise visibility gaps.

Likely telemetry

  • Email security gateway and message trace data for suspected phishing activity
  • User-reported phishing submissions and help desk/security mailbox intake
  • Identity and access logs that may show follow-on credential use after suspicious outreach
  • Threat intelligence or external monitoring related to phishing infrastructure or campaigns
  • Security awareness and phishing investigation case records

Detection direction

  • Validate whether phishing and phishing-for-information investigations preserve enough message, sender, link, attachment, and recipient context for analysis.
  • Tune triage processes for suspicious outreach that may appear well-written or personalized, while recognizing that the supplied ATT&CK text only references potential generative AI use and does not provide a specific detection signature.
  • Correlate reported phishing with identity events where available, but avoid assuming compromise from message receipt alone.
  • Document blind spots where activity occurs outside organizational visibility, especially before a message reaches enterprise-controlled systems.
  • Use the MITRE reference to link this analytic to related phishing-focused detection strategy work rather than deploying it as a standalone high-confidence detector.
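The "Likely telemetry" and "Detection direction" items above describe two concrete steps: preserve sender, reply-to, link, attachment and recipient context from a reported message, then correlate that report with identity events for the recipients without treating receipt alone as compromise. The following is an added worked example of both steps, written for this page; it is not MITRE or Glexia code and implements no official ATT&CK detection logic. The raw message and the sign-in records are constructed inline, and the sign-in field names (user, time, result, ip, new_device) are a hypothetical schema that a real deployment would map to its own identity logs.

```python
"""Correlate a user-reported phishing message with identity sign-in events.

Added example for this page (not MITRE or Glexia code). The message and the
sign-in records below are constructed samples; the sign-in schema is
hypothetical and must be mapped to the identity provider actually in use.
"""
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample of a user-reported message (not a real campaign).
REPORTED_EML = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: support@it-reset-portal.example
To: alice@example.com
Subject: Action required: password expires today
Date: Mon, 03 Mar 2025 09:12:00 +0000
Content-Type: text/plain; charset="utf-8"

Hi Alice, your password expires in 2 hours. Verify your account here:
https://it-reset-portal.example/verify?u=alice
"""

# Constructed sign-in events using a hypothetical identity-log schema.
SIGNIN_EVENTS = [
    {"user": "alice@example.com", "time": "2025-03-03T09:40:00+00:00",
     "result": "success", "ip": "203.0.113.5", "new_device": True},
    {"user": "bob@example.com", "time": "2025-03-03T09:45:00+00:00",
     "result": "success", "ip": "198.51.100.7", "new_device": False},
    {"user": "alice@example.com", "time": "2025-03-03T08:00:00+00:00",
     "result": "success", "ip": "192.0.2.10", "new_device": False},
]


def extract_message_context(raw: str) -> dict:
    """Keep the fields an investigation needs: sender, reply-to, recipients,
    links, attachment names and delivery time, so the case record is usable
    after the message itself has been purged from mailboxes."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    raw_recipients = msg.get("To", "") + "," + msg.get("Cc", "")
    recipients = [parseaddr(a)[1] for a in raw_recipients.split(",") if a.strip()]
    links, attachments = [], []
    for part in msg.walk():  # a non-multipart message yields itself once
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            links.extend(URL_RE.findall(body))
    return {
        "sender": sender,
        "reply_to": reply_to,
        # A Reply-To on a different domain than the visible sender is a
        # common trait of credential-seeking outreach; it is context, not proof.
        "reply_to_mismatch": bool(reply_to)
        and reply_to.split("@")[-1] != sender.split("@")[-1],
        "recipients": recipients,
        "links": links,
        "attachments": attachments,
        "received": parsedate_to_datetime(msg["Date"]),
    }


def correlate(context: dict, events: list, window: timedelta = timedelta(hours=2)) -> list:
    """Return successful sign-ins by a recipient, from a device not seen before,
    inside `window` after delivery. Receipt alone is never flagged, and each
    finding is marked 'review' rather than 'compromised'."""
    start = context["received"]
    end = start + window
    findings = []
    for ev in events:
        if ev["user"] not in context["recipients"]:
            continue
        seen_at = datetime.fromisoformat(ev["time"])
        if not (start <= seen_at <= end):
            continue  # sign-ins before delivery cannot be follow-on activity
        if ev["result"] == "success" and ev["new_device"]:
            findings.append({"user": ev["user"], "time": ev["time"],
                             "ip": ev["ip"], "disposition": "review"})
    return findings


if __name__ == "__main__":
    ctx = extract_message_context(REPORTED_EML)
    for key in ("sender", "reply_to", "reply_to_mismatch", "links", "attachments"):
        print(f"{key}: {ctx[key]}")
    for finding in correlate(ctx, SIGNIN_EVENTS):
        print("review:", finding)
```

In this sample the only finding is Alice's 09:40 sign-in from a new device, 28 minutes after delivery; her earlier 08:00 sign-in and Bob's sign-in are ignored because they are outside the window or not addressed by the message. The window and the new-device condition are tuning knobs: widening the window raises recall at the cost of more benign sign-ins to triage, and the result still needs an analyst to confirm whether the link was actually visited.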

Mitigation priorities

  • Prioritize resilient phishing reporting, triage, and escalation workflows so weak external visibility is offset by rapid internal reporting.
  • Ensure email security, identity monitoring, and incident response teams can share evidence during suspected phishing or information-seeking events.
  • Maintain user awareness and verification procedures for credential requests, sensitive information requests, and unusual outreach.
  • Review logging retention for email and identity systems so investigations have sufficient historical context.
  • Capture control gaps as risk evidence for security leadership, especially where pre-compromise activity cannot be directly observed.

Analyst notes and limits

The official object is a detection analytic in the enterprise ATT&CK domain with platform PRE. The supplied description emphasizes that much activity may happen outside the target organization’s visibility and recommends focusing detection on potential generative AI-related behaviors connected to Phishing and Phishing for Information. No official detection content or relationship context was supplied.

This take is constrained by sparse ATT&CK fields. The object provides no tactic, no detection logic, no relationships, no aliases, and no evidence of active exploitation or attribution. Local telemetry, email architecture, identity controls, and incident handling data are required to determine actual coverage.

Official MITRE ATT&CK definition

Analytic 1974

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of generative artificial intelligence (i.e. Phishing, Phishing for Information).

The same entry is also available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in snapshot)
Modified: (empty in snapshot)
Raw hash: 05bed0a9497fe98a...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   05bed0a9497f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN1974 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.